Garryowen | 16 Feb 2022 6:15 a.m. PST |
My shortcut on Google, and a link to one of our pages here on TMP I posted to another wargaming website, are producing a message with the following information: "This site can't provide a secure link uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH Unsupported protocol The client and server don't support a common SSL protocol version or cipher suite." What does the above mean? How can I leave a link to a TMP page on another website and avoid this? I have been copying the link, then pasting it onto my post at the other wargaming site. Thanks for any help. Tom |
35thOVI | 16 Feb 2022 6:48 a.m. PST |
Try typing this into your Google search engine: err_ssl_version_or_cipher_mismatch. Sometimes clearing your history and cache will fix this. Also your virus software could be stopping it. The first thing is the easiest to try. |
35thOVI | 16 Feb 2022 6:52 a.m. PST |
Although if you are copying a link back to TMP on another site, your history/cache does not seem to be the issue. Perhaps their site does not feel TMP is secure. Sorry I'm not much more help. But read what Google gives you back on the query on the error. |
Stryderg | 16 Feb 2022 6:55 a.m. PST |
Short answer: type "http://theminiaturespage.com" in your address bar. Long answer: SSL is a protocol used to create secure connections to websites, i.e. it defines how info going to/from the website should be encrypted. HTTPS uses SSL. TMP doesn't use HTTPS, it uses the older HTTP protocol. So when you visit, all of the data going to/from TMP is unencrypted and in clear text. If I had a packet sniffer on your network, I would be able to read the pages that you are getting from TMP. That's a problem if TMP were a bank, not a problem for a miniatures page. Google has a problem with trying to dictate how the internet works. They want everyone using HTTPS, so when you type in "theminiaturespage.com", Google "fixes it for you" by adding "https://" to the front instead of "http://". And it kicks up an error, because their "fix" doesn't. |
35thOVI | 16 Feb 2022 7:33 a.m. PST |
Excellent answer. Much better than mine. |
Garryowen | 16 Feb 2022 11:32 a.m. PST |
Thanks to both of you. I have been typing TMP's URL into my web browser and not having any problem. I will pass this on to the guys on the other site. Tom |
Mr Elmo | 16 Feb 2022 2:11 p.m. PST |
TMP has been giving me a Not Secure warning for a while now. As others have said, it's the TLS/SSL thing. Meaning everything you type and send to the server is unencrypted: this message, your login password, everything. |
Dadster | 16 Feb 2022 2:52 p.m. PST |
Means this site does not have https:// (secure http://). To the best of my knowledge this site has always been that way. Antivirus packages will give you a warning regarding any sites which are using nonsecure http://. It is fairly inexpensive to get a license for a well trafficked site, and I don't know why this site doesn't have it. It's really a no-brainer, especially if anything is sold from/on the site. |
etotheipi | 16 Feb 2022 3:05 p.m. PST |
"especially if anything is sold from/on the site." Nothing is. |
Saber6 | 16 Feb 2022 3:59 p.m. PST |
SSL certificates are not without cost and providers are making site owners renew more frequently. Used to be 5 years, then 2 and most are 1 year. And depending on the hosting arrangement there may be additional charges to install/update. |
Dadster | 16 Feb 2022 8:36 p.m. PST |
1 year for 99 bucks. I have one for my online store. Well worth the money. |
Bunkermeister | 16 Feb 2022 9:03 p.m. PST |
So if someone was skilled and interested they could hack us and learn we are reading and writing about little army men? And NSFW photos of scantily clad females with bikini armor? And maybe spoofing someone on the marketplace? Or what about signing up for a membership or advertising, is that secure? I likely don't know enough about it to ask reasonable questions. When I took computer class in college we used punch cards. Mike Bunkermeister Creek Bunker Talk blog |
Mr Elmo | 17 Feb 2022 5:11 a.m. PST |
"SSL certificates are not without cost" I know war gamers are incredibly cheap but Tabletop Gaming News seems to be able to afford one. Maybe TMP needs a "get out of the '90s" Go Fund Me |
Dadster | 17 Feb 2022 7:10 a.m. PST |
Amen to that Elmo. Especially a site with Advertising, lots of members and paid subscriptions should be HTTPS. But hey it's just an opinion. |
etotheipi | 18 Feb 2022 9:04 a.m. PST |
So, actually understanding the business is not essential to making a decision about how to execute it? Just do what other people are doing, that's the smart business approach? |
Mr Elmo | 18 Feb 2022 10:42 a.m. PST |
"Just do what other people are doing, that's the smart business approach?" I think it's more about the site projecting a disregard for basic security. |
etotheipi | 18 Feb 2022 12:00 p.m. PST |
"Basic security" of what? |
Editor in Chief Bill | 18 Feb 2022 2:47 p.m. PST |
"Especially a site with Advertising, lots of members and paid subscriptions should be HTTPS." "I think it's more about the site projecting a disregard for basic security." Why? Please elucidate. |
Mr Elmo | 19 Feb 2022 7:10 a.m. PST |
"Why? Please elucidate." First, anyone visiting with a modern browser is warned to stop. Then I start to wonder: what else is bad? For one thing, your password recovery system leaks information. I only know this because it's quick and easy to try. I wonder what an actual Pen Test would find and would you be alerted if I did? |
etotheipi | 19 Feb 2022 12:28 p.m. PST |
"First, anyone visiting with a modern browser is warned to stop. Then I start to wonder: what else is bad?" So you make your decision on what a corporation tells you, not understanding what is going on. "For one thing, your password recovery system leaks information. I only know this because it's quick and easy to try." So, what information? I doubt you can answer since you haven't so far. "I wonder what an actual Pen Test would find and would you be alerted if I did?" Most of what you are suggesting is highly illegal in most parts of the world (using pen test techniques on a server without the owner's permission). I would recommend you tread lightly and call a lawyer. And the answer, in general, is yes, the server admin would be alerted. A "pen test" is not a thing, but an approach to executing a large range of tasks using a variety of tools. They are designed to range from "noisy" techniques that are easy to detect up to very "quiet" ones. Pretty much every system out there falls somewhere along the spectrum of various approaches. I suppose, in theory, you could design a system that didn't detect some "noisy" techniques. There is no such thing as a system that can't be attacked without being detected. So, if your browser is giving you a "green"/"red" assessment, that is fundamentally worthless as it lacks an appropriate degree of context. As a former offensive cyber operator, I loved targets where people had the simple view. |
Editor in Chief Bill | 21 Feb 2022 5:22 p.m. PST |
"For one thing, your password recovery system leaks information. I only know this because it's quick and easy to try." How in the world does it 'leak information'? |
Mr Elmo | 22 Feb 2022 7:38 p.m. PST |
"How in the world does it 'leak information'?" Your system told me "We cannot send you an email reminder, since no email address is on record for this membership account." I could use this to figure out which emails you do or do not have. Conventional security is to use something like "An email reminder has been sent if that email is on record". Or something like that. |
etotheipi | 23 Feb 2022 9:23 a.m. PST |
The difference you're talking about is whose convention? Certainly not NIST or OWASP. In fact, every credential verification system leaks this information. If it lets you in, the credential was good. So, how many hundred million email addresses did you try, and what was your hit rate? What you're talking about is a trade between usability and risk value. |
Mr Elmo | 25 Feb 2022 6:14 p.m. PST |
I have not read much that is more stupid in my life. It's like #1 on the OWASP cheat sheet: "Return a consistent message for both existent and non-existent accounts." |
etotheipi | 25 Feb 2022 11:10 p.m. PST |
Well, if you're going to use the cheat sheets instead of the actual standards, I recommend at least understanding what they say. The line you are quoting is about a response about whether or not you typed in the right response to a pw reset request. What you demonstrated on TMP is being told there is no email address associated with a specific user account name. You're not getting a response to an attempted email address. Even if you found an account that had an email associated with it, you are not entering or being told what that email address is. So basically, you can use trial and error on this part of the system to find the account names that are at the top of every post. And you could know that they do or don't have an email on file with the site. Not what it is, just that it exists. Sorry. I didn't understand that you misunderstood what was happening and thought a principle like that applied in the case you were discussing. |
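The two reset behaviours argued over in the posts above, a reminder flow whose reply depends on the account's state beside one that answers every request the same way, as an added example that is not code from TMP or from any poster. The account table, the message texts, the per-source attempt cap and the outbox queue are all constructed for the demonstration.

```python
"""Password-reminder flow: state-dependent replies beside a uniform reply.

Constructed example for the thread above; nothing here is TMP's code.
The account table, messages, attempt cap and outbox are assumptions.
"""
from typing import Callable, Dict, Iterable, List, Optional

# Constructed account table: account name -> email on record (None = none on file).
ACCOUNTS: Dict[str, Optional[str]] = {
    "alice": "alice@example.invalid",
    "bob": None,          # account exists but has no email on record
}

# Reminders are queued rather than sent, so every request path does the
# same amount of work in the handler and the caller sees only the reply.
OUTBOX: List[str] = []

LEAKY_NO_ACCOUNT = "No such membership account."
LEAKY_NO_EMAIL = ("We cannot send you an email reminder, since no email "
                  "address is on record for this membership account.")
LEAKY_SENT = "An email reminder has been sent."

UNIFORM_MSG = ("If a membership account with that name has an email address "
               "on record, a reminder has been sent to it.")

THROTTLED_MSG = "Too many reminder requests; please try again later."


def reminder_leaky(account: str) -> str:
    """Reply differs for unknown name / known name without email / known
    name with email, so the reply itself reports account state."""
    if account not in ACCOUNTS:
        return LEAKY_NO_ACCOUNT
    email = ACCOUNTS[account]
    if email is None:
        return LEAKY_NO_EMAIL
    OUTBOX.append(email)
    return LEAKY_SENT


def reminder_uniform(account: str) -> str:
    """Same reply on every path; whether mail actually went out is only
    visible to whoever reads the mailbox."""
    email = ACCOUNTS.get(account)
    if email is not None:
        OUTBOX.append(email)
    return UNIFORM_MSG


class ReminderEndpoint:
    """Uniform reply plus a per-source cap on requests (constructed limit),
    the second control usually paired with the consistent message."""

    def __init__(self, limit: int = 5) -> None:
        self.limit = limit
        self.attempts: Dict[str, int] = {}

    def request(self, source: str, account: str) -> str:
        count = self.attempts.get(source, 0) + 1
        self.attempts[source] = count
        if count > self.limit:
            return THROTTLED_MSG
        return reminder_uniform(account)


def replies_distinguish(handler: Callable[[str], str],
                        probes: Iterable[str]) -> bool:
    """True when the handler's replies differ across the probes, i.e. when
    a caller could sort account names by state from the reply text alone."""
    return len({handler(p) for p in probes}) > 1


if __name__ == "__main__":
    names = ["alice", "bob", "nobody"]
    print("leaky   distinguishes:", replies_distinguish(reminder_leaky, names))
    print("uniform distinguishes:", replies_distinguish(reminder_uniform, names))
```

The uniform reply removes the text-based distinction that the thread describes (unknown name versus known name with no email versus reminder sent). Queueing the reminder instead of sending it inline keeps the handler's work similar on each path, which matters because a reply that is identical in wording but noticeably slower on one path still lets the states be told apart; the attempt cap bounds how many names a single source can try.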